CVSS: 7.4, EPSS: 0%, CPEs: 5, EXPL: 0

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

References:
• http://www.openwall.com/lists/oss-security/2024/06/17/2
• https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d
• https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524
• https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e
• https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286
• https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa
• https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab
• https://github.com

Weakness:
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 7.5, EPSS: 0%, CPEs: 5, EXPL: 0

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

References:
• http://www.openwall.com/lists/oss-security/2024/06/17/3
• https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8
• https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f
• https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3
• https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb
• https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906
• https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3
• https://github.com

Weaknesses:
• CWE-440: Expected Behavior Violation
• CWE-697: Incorrect Comparison

CVSS: 7.1, EPSS: 0%, CPEs: 5, EXPL: 0

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.

References:
• https://github.com/python/cpython/commit/35c799d79177b962ddace2fa068101465570a29a
• https://github.com/python/cpython/commit/5130731c9e779b97d00a24f54cdce73ce9975dfd
• https://github.com/python/cpython/commit/66f8bb76a15e64a1bb7688b177ed29e26230fdee
• https://github.com/python/cpython/commit/6d0850c4c8188035643586ab4d8ec2468abd699e
• https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a759033e
• https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7df070d
• https://github.com/python/cpython/commit/91e3669e01245185569d09e9e6e11641282971ee
• https://github.

Weakness:
• CWE-276: Incorrect Default Permissions

CVSS: 7.8, EPSS: 0%, CPEs: 5, EXPL: 0

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

References:
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a
• https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25
• https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5
• https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d
• https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82
• https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b
• https://github.com

Weakness:
• CWE-61: UNIX Symbolic Link (Symlink) Following

CVSS: 6.2, EPSS: 0%, CPEs: 5, EXPL: 0

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.

References:
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
• https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
• https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
• https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
• https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
• https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
• https://github.com

Weaknesses:
• CWE-405: Asymmetric Resource Consumption (Amplification)
• CWE-450: Multiple Interpretations of UI Input